x-pack/filebeat/input/cel: default User-Agent broken with OAuth2 before 9.3.0

[chrisberkhout]

Bug report

• Version: < 9.3.0
• Component: Filebeat CEL input

Summary

The Filebeat CEL input does not apply the documented default User-Agent header to CEL-initiated HTTP requests when auth.oauth2 is enabled before 9.3.0.

The default CEL request user-agent behavior was added in #39587 for 8.15.0. The CEL input documentation says:

By default, this value is assigned to all requests' user-agent headers unless the CEL program has already set the user-agent header value.

However, with auth.oauth2 enabled in Filebeat 8.19.0, for example, requests made from the CEL program are sent with Go's default user-agent:

Go-http-client/1.1

instead of the Filebeat user-agent exposed through the CEL useragent global.

Affected versions

I observed this in 8.19.0.

From code inspection, the issue is still present in v8.19.15 and v9.2.8.

It appears fixed on main and in v9.3.0, coincidentally, via #47014.

Steps to reproduce

1. Configure a Filebeat CEL input using auth.oauth2.

filebeat.inputs:
  - type: cel
    interval: 1m
    resource.url: https://example.invalid
    auth.oauth2:
      client.id: test-client
      client.secret: test-secret
      token_url: https://example.invalid/oauth/token
      endpoint_params:
        grant_type: client_credentials
    program: |
      post_request(
        state.url + "/graphql",
        "application/json",
        {"query": "{}"}.encode_json()
      ).do_request().as(resp, {
        "events": []
      })

2. Observe the HTTP request sent by the CEL program, for example with request tracing, a test server, or upstream API logs.

3. Check the request's User-Agent header.

Actual behavior

The CEL request has:

User-Agent: Go-http-client/1.1

Expected behavior

The CEL request should have Filebeat's default user-agent, equivalent to the CEL useragent global, unless the CEL program explicitly sets a User-Agent header.

For example:

User-Agent: Elastic-Filebeat/<version> (...)

Code analysis

In v8.19.0, x-pack/filebeat/input/cel/input.go returns early when OAuth2 is enabled:

if cfg.Auth.OAuth2.isEnabled() {
    authClient, err := cfg.Auth.OAuth2.client(ctx, c)
    if err != nil {
        return nil, nil, err
    }
    return authClient, trace, nil
}

c.Transport = userAgentDecorator{
    UserAgent: userAgent,
    Transport: c.Transport,
}

This means non-OAuth2 clients get the default user-agent wrapper, but OAuth2 clients skip it.

On main, this has changed to:

if cfg.Auth.OAuth2.isEnabled() {
    c, err = cfg.Auth.OAuth2.client(ctx, c)
    if err != nil {
        return nil, nil, nil, nil, err
    }
}

c.Transport = userAgentDecorator{
    UserAgent: userAgent,
    Transport: c.Transport,
}

So the issue appears to be fixed on main but not backported to 8.17.x, 8.18.x, 8.19.x or 9.0.x, 9.1.x, 9.2.x.

Workaround

CEL programs can explicitly set the header:

post_request(
  state.url + "/graphql",
  "application/json",
  body
).with({
  "Header": {
    "Content-Type": ["application/json"],
    "User-Agent": [useragent],
  },
}).do_request()

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

tl;dr: This appears to be a real pre-9.3.0 bug — in v9.2.8, the OAuth2 branch returns before userAgentDecorator is applied, so default User-Agent is skipped when auth.oauth2 is enabled; v9.3.0 changed this flow and applies the decorator after OAuth2 client wrapping.

Recommendation
Backport the newClient control-flow fix from v9.3.0 to affected pre-9.3 branches and add a regression test that asserts User-Agent with OAuth2 enabled (including token endpoint coverage).

Findings

1. Docs promise default User-Agent on all requests:

   • docs/reference/filebeat/filebeat-input-cel.md:264 says: "By default, this value is assigned to all requests' user-agent headers..."
   • docs/reference/filebeat/filebeat-input-cel.md:282 says OAuth2 is used for all CEL requests.

2. Current code (main) applies OAuth2 wrapping, then User-Agent decoration:

   • x-pack/filebeat/input/cel/input.go:1260-1270
   • Exact flow:
     • if cfg.Auth.OAuth2.isEnabled() { c, err = cfg.Auth.OAuth2.client(ctx, c) ... }
     • then c.Transport = userAgentDecorator{UserAgent: userAgent, Transport: c.Transport}

3. Pre-9.3 behavior had an early return in OAuth2 path (skipping UA decoration):

   • v9.2.8:x-pack/filebeat/input/cel/input.go:951-957
     • authClient, err := cfg.Auth.OAuth2.client(ctx, c)
     • return authClient, trace, nil
   • v9.2.8:x-pack/filebeat/input/cel/input.go:959-962
     • c.Transport = userAgentDecorator{...} (unreached when OAuth2 is enabled)

4. v9.3.0 changed that control flow:

   • v9.3.0:x-pack/filebeat/input/cel/input.go:989-999
   • OAuth2 no longer early-returns; decorator is applied after OAuth2 wrapping.

5. OAuth2 client path reuses provided HTTP client via context:

   • x-pack/filebeat/input/cel/config_auth.go:257 sets oauth2.HTTPClient in context.
   • This supports the hypothesis that decoration order affects token and/or request behavior.

6. Coverage gap in tests:

   • UA tests exist without OAuth2: x-pack/filebeat/input/cel/input_test.go:759-775, 801-823, 917-937.
   • OAuth2 test exists but does not assert UA: x-pack/filebeat/input/cel/input_test.go:2757-2773, 2777-2800.

Verification

I ran scoped tests in the CEL input package:

$ GOTOOLCHAIN=auto go test -v ./x-pack/filebeat/input/cel -run 'TestInput/(GET_request_check_user_agent_default|GET_request_check_user_agent_user_defined|GET_request_check_user_agent_none|GET_headers|OAuth2)$'
=== RUN   TestInput
=== RUN   TestInput/GET_request_check_user_agent_default
=== RUN   TestInput/GET_request_check_user_agent_user_defined
=== RUN   TestInput/GET_headers
=== RUN   TestInput/GET_request_check_user_agent_none
=== RUN   TestInput/OAuth2
--- PASS: TestInput (0.04s)
    --- PASS: TestInput/GET_request_check_user_agent_default (0.01s)
    --- PASS: TestInput/GET_request_check_user_agent_user_defined (0.00s)
    --- PASS: TestInput/GET_headers (0.00s)
    --- PASS: TestInput/GET_request_check_user_agent_none (0.00s)
    --- PASS: TestInput/OAuth2 (0.01s)
PASS
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/cel (cached)

These confirm current behavior and highlight the missing OAuth2+UA assertion path.

Detailed Action Plan

1. For each affected pre-9.3 branch, patch x-pack/filebeat/input/cel/input.go in newClient so OAuth2 does not early-return before UA decoration.

   • Align with v9.3.0:x-pack/filebeat/input/cel/input.go:989-999 behavior.

2. In x-pack/filebeat/input/cel/input_test.go, add OAuth2 regression coverage:

   • Extend OAuth2 handlers to assert r.UserAgent() == userAgent for the API request.
   • Add assertion on /token request User-Agent as well (to cover token fetch path).
   • Add a variant with explicit CEL User-Agent header to verify override behavior remains correct.

3. Run focused tests:

   • go test -v ./x-pack/filebeat/input/cel -run TestInput/OAuth2
   • go test -v ./x-pack/filebeat/input/cel -run 'TestInput/(GET_request_check_user_agent_default|GET_request_check_user_agent_user_defined|GET_request_check_user_agent_none|OAuth2)$'

4. If backport PRs are created, reference this issue and note that fix is parity with the v9.3.0 control-flow change.

Related Items

Type	Link	Relevance
Issue	#39502	Original enhancement request for CEL default User-Agent
PR	#39587	Added default User-Agent behavior to CEL requests
PR	#47014	OTEL metrics refactor where OAuth2/UA control flow changed; first tag containing commit includes v9.3.0
File	x-pack/filebeat/input/cel/input.go	Core client construction/auth/UA decoration logic
File	x-pack/filebeat/input/cel/config_auth.go	OAuth2 HTTP client wrapping via oauth2.HTTPClient context
File	x-pack/filebeat/input/cel/input_test.go	Existing UA and OAuth2 tests; regression gap location
Docs	docs/reference/filebeat/filebeat-input-cel.md:264	Documented default UA behavior

Note

🔒 Integrity filter blocked 5 items

The following items were blocked because they don't meet the GitHub integrity level.

• #50867 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #50867 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #48440 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #34609 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• x-pack/filebeat/input/cel: default User-Agent broken with OAuth2 before 9.3.0 #50867 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Issue Triage

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[efd6]

It does actually affect main. The ordering of the transports is incorrect; this is demonstrated by a test.